@bgooley    That was quite a good list of steps I could find after searching a lot for procedures on upgrading the TLS 1.1 to 1.2. I actually applied these steps on one of our test environment  on CDH 5.13 cluster on centos 6 wihin our organization and submitted for the vulnerability scan and the report has come up with quite a number of ports still have TLS 1.1 and are vulnerable These are the ports:   11371 -- KTS server 11381-- postgresssql database 50475  External -  Datanode-- dfs.datanode.https.address 13562  Yarn //mapreduce.shuffle.port 9093--kafka 8985 -- solr_https_port 8044 --Yarn,node manager --yarn. nodemanager. webapp.https.address 20550 --hbase.rest.port 19890-- Yarn Job history server, mapreduce. jobhistory. webapp.address 11443 -- Oozie server 9095 --Hbase Thrift server 8889 -- Hue load balancer 60010 -- hbase.master. info.port (http) 7187-- Cloudera manager server (metadataserve/https web UI) 50470 -- dfs.https.address or dfs.namenode.https-address (dfs.https.addressis deprecated (but still works) 14000 -- HttpFS 8481 --Hadoop --dfs.journalnode. https-address 8090 -- yarn. resourcemanager. webapp.https.address 8044 ---yarn. nodemanager. webapp.https.address 60030 -- hbase. regionserver. info.port.   please let us know how we can overcome/resolve this issue.   Thanks Suresh . ... View more